Castellan-compatible key store is a base service

Per the past year of discussions, culminating in the most recent
mailing list thread[*], it's apparent that providing a consistent
solution for storage of key material and similar secrets by security
features of various OpenStack services is in the best interests of
the project. By providing this guarantee in the base services set,
projects don't need to worry about implementing insecure fallback
alternatives or needlessly duplicating functionality to cope with
the lack of an already-available solution.

[*] http://lists.openstack.org/pipermail/openstack-dev/2018-May/130567.html

Change-Id: Ia46211f41726d5671bf28a632d17fc56965b6fcc
Jeremy Stanley 2018-06-06 01:08:19 +00:00
parent 94abc873f1
commit 2e93447e66
1 changed files with 12 additions and 0 deletions

@ -37,6 +37,18 @@ the system which may also benefit from using it.
Current list of base services
=============================
**A Castellan-compatible key store**
OpenStack components may keep secrets in a key store, using Oslo's
Castellan library as an indirection layer. While OpenStack provides a
Castellan-compatible key store service, Barbican, other key store backends
are also available for Castellan. Note that in the context of the base
services set Castellan is intended only to provide an interface for
services to interact with a key store, and it should not be treated as a
means to proxy API calls from users to that key store. In order to reduce
unnecessary exposure risks, any user interaction with secret material
should be left to a dedicated API instead (preferably as provided by
Barbican).
**An oslo.db-compatible database**
OpenStack components store data in a database, using oslo.db as an
indirection layer. While most OpenStack deployments use MySQL, other
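
Review bot: The first sentence of the new entry says components "may keep secrets in a key store", which reads as optional and does not state the guarantee the commit message gives as the reason for the change (that services can rely on a key store being available and so need no insecure fallback). Consider saying explicitly that a Castellan-compatible key store can be assumed present, in the same way the oslo.db entry below describes what components do rather than what they may do. Separately, the closing sentence ("should be left to a dedicated API instead") does not say what counts as a dedicated API when the backend is not Barbican; a short clarification there would help operators who pick another Castellan backend.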